Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #907899,
regarding stretch-pu: package mailman/1:2.1.23-1+deb9u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
907899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907899
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hi
Mailman in stretch is affected by the minor issue CVE-2018-13796,
which allows text to be injected into the "No such list" error response. See
https://bugs.launchpad.net/mailman/+bug/1780874 . This won't warrant a
DSA.
debian/changelog entry:
> mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
>
> * Non-maintainer upload.
> * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
> (Closes: #903674)
>
> -- Salvatore Bonaccorso <[email protected]> Mon, 03 Sep 2018 22:00:38 +0200
and full debdiff attached against the 1:2.1.23-1+deb9u3 version.
The issue has been tested in a container instance with the hint given by
https://bugs.launchpad.net/mailman/+bug/1780874 .
Regards,
Salvatore
diff -Nru mailman-2.1.23/debian/changelog mailman-2.1.23/debian/changelog
--- mailman-2.1.23/debian/changelog 2018-07-14 23:26:09.000000000 +0200
+++ mailman-2.1.23/debian/changelog 2018-09-03 22:00:38.000000000 +0200
@@ -1,3 +1,11 @@
+mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
+ (Closes: #903674)
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 03 Sep 2018 22:00:38 +0200
+
mailman (1:2.1.23-1+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch
mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch
--- mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 1970-01-01
01:00:00.000000000 +0100
+++ mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch 2018-09-03
22:00:38.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Arbitrary text injection vulnerability in Mailman CGIs
+Origin: upstream,
https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt
+Bug: https://bugs.launchpad.net/mailman/+bug/1780874
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13796
+Bug-Debian: https://bugs.debian.org/903674
+Forwarded: not-needed
+Author: Mark Sapiro <[email protected]>
+Reviewed-by: Salvatore Bonaccorso <[email protected]>
+Last-Update: 2018-07-25
+Applied-Upstream: 2.1.29
+
+=== modified file 'Mailman/Utils.py'
+--- a/Mailman/Utils.py 2018-07-11 06:52:22 +0000
++++ b/Mailman/Utils.py 2018-07-24 21:48:54 +0000
+@@ -280,17 +280,28 @@
+ def GetPathPieces(envar='PATH_INFO'):
+ path = os.environ.get(envar)
+ if path:
++ remote = os.environ.get('HTTP_FORWARDED_FOR',
++ os.environ.get('HTTP_X_FORWARDED_FOR',
++ os.environ.get('REMOTE_ADDR',
++ 'unidentified origin')))
+ if CRNLpat.search(path):
+ path = CRNLpat.split(path)[0]
+- remote = os.environ.get('HTTP_FORWARDED_FOR',
+- os.environ.get('HTTP_X_FORWARDED_FOR',
+- os.environ.get('REMOTE_ADDR',
+- 'unidentified origin')))
+ syslog('error',
+ 'Warning: Possible malformed path attack domain=%s remote=%s',
+ get_domain(),
+ remote)
+- return [p for p in path.split('/') if p]
++ # Check for listname injections that won't be websafed.
++ pieces = [p for p in path.split('/') if p]
++ # Get the longest listname or 20 if none.
++ if list_names():
++ longest = max([len(x) for x in list_names()])
++ else:
++ longest = 20
++ if pieces and len(pieces[0]) > longest:
++ syslog('mischief',
++ 'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
++ pieces[0] = pieces[0][:longest] + '...'
++ return pieces
+ return None
+
+
+
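Review bot: The new check in GetPathPieces() only bounds the length of the first path piece ("if pieces and len(pieces[0]) > longest:"), so any text no longer than the longest existing list name, or 20 characters when there are no lists, still passes through unchanged. That limit, and the fact that it grows with the longest list name on the installation, should be stated in the patch Description or in the code comment so the residual behaviour is clear to whoever maintains this later. Two smaller points in the same block: list_names() is called twice on every request that carries a path, so assign it once (for example names = list_names()) and reuse it; and the 'mischief' log line writes the untruncated pieces[0] together with a "remote" value that prefers the HTTP_FORWARDED_FOR and HTTP_X_FORWARDED_FOR request headers over REMOTE_ADDR, so both fields in that entry can be chosen by the client. Consider logging the truncated name and including REMOTE_ADDR alongside the forwarded value.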
diff -Nru mailman-2.1.23/debian/patches/series
mailman-2.1.23/debian/patches/series
--- mailman-2.1.23/debian/patches/series 2018-07-14 23:26:09.000000000
+0200
+++ mailman-2.1.23/debian/patches/series 2018-09-03 22:00:38.000000000
+0200
@@ -12,3 +12,4 @@
91_utf8.patch
92_CVE-2018-5950.patch
93_CVE-2018-0618.patch
+94_CVE-2018-13796.patch
--- End Message ---
--- Begin Message ---
Version: 9.6
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
--- End Message ---